IBM Support

Security Bulletin: Db2 Query Management Facility is vulnerable to IBM SDK, Java Technology Edition Quarterly CPU - Jan 2021 - Includes Oracle Jan 2021 CPU plus CVE-2020-27221

Security Bulletin


Summary

Db2 Query Management Facility is vulnerable to IBM SDK, Java Technology Edition Quarterly CPU - Jan 2021 - Includes Oracle Jan 2021 CPU CVE-2020-14803 plus CVE-2020-27221

Vulnerability Details

CVEID:   CVE-2020-14803
DESCRIPTION:   An unspecified vulnerability in Java SE could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/190121 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:   CVE-2020-27221
DESCRIPTION:   Eclipse OpenJ9 is vulnerable to a stack-based buffer overflow when the virtual machine or JNI natives are converting from UTF-8 characters to platform encoding. By sending an overly long string, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/195353 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s)Version(s)
DB2 Query Management Facility for z/OS11.2.1
DB2 Query Management Facility for z/OS12.1
Query Management Facility Classic Edition11.1
DB2 Query Management Facility for z/OS12.2
Query Management Facility Enterprise Edition11.1
DB2 Query Management Facility for z/OS11.2
DB2 Query Management Facility for z/OS11.1

Remediation/Fixes

Please see "Workarounds and Mitigations"

Workarounds and Mitigations

Use the following instructions to download the latest JRE version from the IBM Java download portal and replace it with the JRE you are currently invoking.

Steps to update Java - QMF for Workstation:

  1. Download JRE 8.0.6.5 version from IBM Java download portal.
  2. Close QMF for workstation , if any instance is running.
  3. Copy 8.0.6.5 JRE version to C:\Program Files\IBM\Db2 Query Management Facility\QMF for Workstation\jre.
  4. Start application

 

Steps to update Java - QMF Vision: 

1. Go to: https://adoptopenjdk.net/releases.html

2. Download Open JDK 8(LTS) and extract the files to a temporary location.

3. Stop the following Windows services:

    - IBM QMF Vision Indexing Service (this will also stop IBM QMF Vision Web Service due to dependencies)

    - QMFServerLite

4. Delete

      C:\Program Files\IBM\DB2 Query Management Facility\QMF Vision\elasticsearch\java\jre1.8.0_131.

      Note: The folder name would be “jre” in case security bulletin reference # 0880785 is already applied.

5. Copy content of downloaded jre from the temporary location (step # 2) to

      C:\Program Files\IBM\DB2 Query Management Facility\QMF Vision\elasticsearch\java.

6. Rename folder jre1.8.0_131 to jre.

      Note: If the folder in the java folder is already renamed to “jre” via the security bulletin reference #

      0880785, then steps 7 through 12 are not required. You can directly go to step 13 and start the relevant

      services,

      Security bulletin # 0880785 link - https://www-01.ibm.com/support/docview.wss?uid=ibm10880785


7. Under C:\Program Files\IBM\DB2 Query Management Facility\QMF Vision\, edit the following 6 files:

elasticsearch/bin/install.bat

elasticsearch/bin/start.bat

elasticsearch/bin/stop.bat

elasticsearch/bin/uninstall.bat

qmfserver/bat/setenv.bat

qmfserver/conf/wrapper.conf

              For each file, replace "jre1.8.0_131" with "jre", and save.

8. Open a Windows Command window in Administrator mode and Change directory to elasticsearch/bin.

9. Execute:

uninstall.bat

install.bat

10. Change directory to qmfserver/bat.

11 Execute:

uninstallService.bat

installService.bat.

12. In the Windows Services console, edit "IBM QMF Vision Indexing Service" to change startup type from

      "Manual" to "Automatic".

13. Restart Windows Services:

    - IBM QMF Vision Indexing Service

    - IBM QMF Vision Web Service

    - QMFServerLite

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Off

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

Change History

02 Apr 2021: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location

Worldwide

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SS9UMF","label":"DB2 Query Management Facility"},"Component":"","Platform":[{"code":"PF033","label":"Windows"},{"code":"PF016","label":"Linux"}],"Version":"11.1; 11.2; 11.2.1; 12.1; 12.2 ","Edition":""}]

Document Information

Modified date:
02 April 2021

Initial Publish date:
02 April 2021

UID

ibm16439991

Page Feedback